tower_http::services::fs::ServeDir
didn't correctly validate Windows paths, meaning paths like /foo/bar/c:/windows/web/screen/img101.png
would be allowed and respond with the contents of c:/windows/web/screen/img101.png
. Thus users could potentially read files anywhere on the filesystem.
This only impacts Windows. Linux and other unix likes are not impacted by this.
See [tower-http#204] for more details.
{ "nvd_published_at": null, "cwe_ids": [], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-08-11T15:36:42Z" }